ICS Advisory (ICSA-17-136-04)

CVSS v3 5.6

ATTENTION: Low skill level to exploit.

Vendor: Schneider Electric

Equipment: VAMPSET

Vulnerability: Memory Corruption

AFFECTED PRODUCTS

Schneider Electric reports that the vulnerability affects the following VAMPSET setting and configuration software products:

• VAMPSET, versions prior to v2.2.189

IMPACT

Successful exploitation of this vulnerability could allow a local attacker to cause the software to enter a denial-of-service condition. The Windows operating system remains operational through the attack.

MITIGATION

Schneider Electric has updated the VAMPSET tool in order to recognize malformed setting files. A new version of firmware with the fix for this vulnerability is available for download at the following location:

http://www.schneider-electric.com/en/download/document/VAMPSET_v2.2.191/

After the new version of firmware is installed, when a malformed file is loaded VAMPSET will remain operational and report to the user: “Cannot open file.”

Schneider Electric has issued Security Notification SEVD-2017-061-01, which contains additional information:

http://www.schneider-electric.com/en/download/document/SEVD-2017-061-01/

ICS-CERT recommends that users take the following measures to protect themselves from social engineering attacks:

• Do not click web links or open unsolicited attachments in email messages.
• Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
• Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

ICS-CERT also provides a section for control systems security recommended practices on the ICS-CERT web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available in the ICS‑CERT Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies, that is available for download from the ICS-CERT web site.

Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents.

No known public exploits specifically target this vulnerability. This vulnerability is not remotely exploitable.

VULNERABILITY OVERVIEW

VAMPSET is susceptible to a memory corruption vulnerability when a corrupted settings file is loaded. This vulnerability causes the software to halt or not start when trying to open the corrupted file.

CVE-2017-7967 has been assigned to this vulnerability. A CVSS v3 base score of 5.6 has been assigned; the CVSS vector string is (AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:H).

RESEARCHER

Kushal Arvind Shah from Fortinet's Fortiguard Labs reported this vulnerability directly to Schneider Electric.

BACKGROUND

Critical Infrastructure Sectors: Energy

Countries/Areas Deployed: Worldwide

Company Headquarters Location: France

This product is provided subject to this Notification and this Privacy & Use policy.